Final word on language and nutrition

The Japanese eat very little fat and suffer fewer heart attacks than the British or Americans.

The French eat a lot of fat and also suffer fewer heart attacks than the British or Americans.

The Swedish drink very little red wine and suffer fewer heart attacks than the British or Americans.

The Italians drink excessive amounts of red wine and also suffer fewer heart attacks than the British or Americans.

CONCLUSION: Eat and drink what you like. Speaking English is apparently what kills you.
Cyber Threat Profile

Be prepared!
A question of definition

An incident is any event that deviates from the standard and expected operation of a system or service.

Standard - who defines the standard?

Expected operation - I had expected "Microsoft Fatal Error"!

An incident is the act of violating an explicit or implied security policy.

Security policy - what's that?

My system can't be violated because I have no policy!

An incident occurs if IT security is impaired or jeopardized by an IT security gap or a breach of IT security.

What about the loss of credit or reputation?

What about a breach of duty or legal infringements?
A definition with questions

What can happen?

What is the risk for my division or company?

How can I minimize the risks?

If IT security, personnel data protection, security service, disaster recovery ... do not work - what then?

How can I react if my company is impaired or jeopardized?
What is an incident?

Incident categorization

• Increased access

• Disclosure of information

• Corruption of information

• Denial of service

• Theft of resources
Increased access

Social engineering wanted

[Figure: the social engineering attack cycle - information gathering, development of relationship, exploitation of relationship]

The Social Engineering Attack Cycle

While social engineering attacks are as varied as any criminal act, a common pattern has emerged that is often recognizable and preventable.

[Figures: war driving; tapping fibre-optic cable; USB device identification by VID/PID (Windows hardware IDs such as USB\ROOT_HUB&VID...&PID..., USB\Vid_046d&Pid_... and USB mass-storage and human-interface device entries on a French-language system); a USB sniffer and an open-port scanner under "Scanning and Sniffing"]

©Volker Kozok 2008
Disclosure of information

[Figures: keylogging; printer copying; Bundesnachrichtendienst (German federal intelligence service), "Liechtensteining", Finanzamt (tax office)]

[News clipping, 25 Sep 2006, 15:24: "US-Ministerium vermisst mehr als 1000 Laptops" (US ministry is missing more than 1,000 laptops)]
Corruption of information

[Boston Globe clipping, HOME > NEWS > LOCAL: "Data for 450,000 mistakenly released - Social Security numbers on disks", by Michael Naughton, Globe Correspondent | October ... The Massachusetts Division of Professional Licensure has [...] internal probe and announced plans to review its protocols [...] Social Security numbers of about 450,000 licensed professionals [...] (clipping truncated)]

[Press release clipping, translated from German: "BDJ supports torture demand of Federal Interior Minister Schäuble". Berlin/Karlsruhe, 30 December 2005. The Bund Deutscher Juristen (BDJ) supports the demand for torture made by Federal Interior Minister Dr. Wolfgang Schäuble. On the occasion of the current debate, the BDJ chairman and criminal judge at the Federal Court of Justice, Dr. Claus Grötz, stated: "The lives of innocent victims are worth more than the physical integrity of criminals. We must now break taboos. Obtaining statements by means of light torture measures, and the use of such statements, must be made possible in future. Our authorities are under unjustified moral pressure, as the Gäfgen case and the prosecution of terrorists show."]

[Clippings: "Supermarket loses 4.2 million credit card details" / "Supermarket identity sweep"; faked US standard form W-9095; "Personal data for 650,000 customers vanishes into thin air"]
Denial of service

[Figures: DDoS; help-desk incident ticket screenshot (incident 54TD6A1643, priority Medium, category Hardware / Printers / Laser, opened 4/28/2005 12:59 PM by Barry White via direct entry: "Cannot access printer in the Sales division. The Find a Printer option is not available."); Buffer Overflow Attacks]

Denial of service - disaster

[Figure]
Theft of resources

Case example - web defacement

[heise online clipping: "Nach Hack überprüft Bundeswehr Sicherheit ihrer Website" (After hack, Bundeswehr reviews the security of its website)]

Defacement text left on the site:

make love, not war ;)

greets fly out to:
littleSmoke, SunSun23 & r3d33m3r
and especially to the great Blues Brothers

that you're not paranoid doesn't mean they aren't right behind you!

regards,
Dr. Gonzo & Raoul Duke

"On Sunday, 19 January, as yet unknown perpetrators hacked into the Bundeswehr server in Strausberg and redirected the website bundeswehr.de to another one," a Bundeswehr spokesperson confirmed to heise online. For 90 minutes the Bundeswehr site was not ... (clipping truncated)
IMT - Incident Management Team

"Wake-up call" - Identification

[Figures: vulnerability scanner check list (Domain User / User Pwd, fpnwclnt, fpnwclnt checksum, Generate Security Audit, getadmin, NT Help Overflow, NT RAS Overflow, NTKnownDLLsList, NTPrivFix, NTScreenSaver, NTSP4AuthError); news site front page; groupware mail client (Inbox, Drafts, Sent, Archive, Trash, Discussions, Rules, Templates, Group calendar, All documents) with a "Report of Security Violations" message among the mails of 16 Nov 2006]
Immediate Response - Bw (Bundeswehr)

• Step 1.1 Carry out initial analysis and start documentation

• Step 1.2 Preserve the scene - screening

• Step 1.3 Contact IT specialist personnel

• Step 1.4 Preserve the evidence

• Step 1.5 Determine the extent and perform a risk analysis

• Report to the management
Questions

• Who has carried out the action?
  (suspects, administrator, disciplinary superior, IT security officer, superior agency, service provider, legal adviser)

• What action was carried out?
  (e.g. report, backup, audit, interrogation)

• Where was the action carried out?
  (e.g. search of the official room in building 16, data backup in the server room of building 73, readout of log files in the IT security officer's office, photos in room 166, etc.)

• How and with what means was the action carried out?
  (data backup on CD, preserving evidence with a digital camera, analysis of the computer with the forensic tool "EnCase", etc.)
Step 1.0 Document everything

Capture everything that occurs in detail:

- names

- times

- events as they actually occurred

- Date-Time-Group (DTG)

- action

- list of all computer systems, devices and applications affected by the investigation

- hardware/software information

- remarks (incl. reference to documentation)
Log Book (example)

Serial No. | DTG             | Action                                                                                  | Remarks
-----------+-----------------+-----------------------------------------------------------------------------------------+--------------------------------------------------
1          | 23 Feb 08 09.45 | Sys admin Mr. Smith reports IT security violation                                       |
2          | 23 Feb 08 10.25 | Checking of the user account by IT security officer from admin workstation 03 (R.105)   | Image copied and saved on CD.
3          | 23 Feb 08 10.45 | Report to management. Order to initiate investigation                                   |
4          | 23 Feb 08 11.45 | Checking of client 1074, network address 123.123.145.23, in room 143                    |
5          | 23 Feb 08 12.13 | Securing data at admin Mr. Newman. Seizure of data carriers.                            | Storage in room 143
6          | 23 Feb 08 12.55 | Locking of user account by sys admin Mr. Hubble.                                        |
7          | 23 Feb 08 14.05 | Consulting hotline at CERT XY about further action                                      |
8          | 24 Feb 08 09.05 | Interrogation of suspect by CIO Mr. Jones                                               | Record of interrogation held by personnel officer
9          | 24 Feb 08 10.50 | IT security violation report filed with IT security officer of the organization area    | Enclosure 12
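A log book is only worth something if nobody can quietly rewrite it afterwards. The following is an added example, not code from the original slides: it keeps the log book's columns (serial number, DTG, action, remarks) and chains every entry to the previous one with SHA-256, so that editing, deleting or reordering an entry later breaks the chain at a detectable position. The nine sample rows are the ones from the table above; the hash chain, the JSON encoding of an entry and all function names are this example's own assumptions. Only the Python standard library is used.

```python
"""Hash-chained incident log book.

Added example; not part of the original slides. Each entry keeps the
log book's columns (serial number, Date-Time-Group, action, remarks) and
adds the SHA-256 of the previous entry, so that altering, reordering or
deleting an entry later breaks the chain and verify() reports where.
The sample rows are taken from the slide's log book example; the hash
chain and the JSON field layout are this example's own choice.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class Entry:
    serial: int
    dtg: str          # Date-Time-Group as written in the log book, e.g. "23 Feb 08 09.45"
    action: str
    remarks: str
    prev_hash: str    # entry_hash of the previous entry (GENESIS for serial 1)
    entry_hash: str


def entry_digest(serial: int, dtg: str, action: str, remarks: str, prev_hash: str) -> str:
    # Canonical JSON encoding so the same fields always produce the same digest.
    payload = json.dumps([serial, dtg, action, remarks, prev_hash], ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class LogBook:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, action: str, remarks: str = "", dtg: Optional[str] = None) -> Entry:
        # DTG defaults to now (UTC) in the slide's "DD Mon YY HH.MM" style.
        dtg = dtg or datetime.now(timezone.utc).strftime("%d %b %y %H.%M")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        serial = len(self.entries) + 1
        entry = Entry(serial, dtg, action, remarks, prev,
                      entry_digest(serial, dtg, action, remarks, prev))
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Digest of the newest entry. Record it out of band (printed and signed,
        or sent to the CERT); otherwise the last entry can be rewritten together
        with its own hash, or simply dropped, without the chain noticing."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every digest and check the links.
        Returns (True, None) or (False, position of the first bad entry)."""
        prev = GENESIS
        for position, e in enumerate(self.entries, start=1):
            recomputed = entry_digest(e.serial, e.dtg, e.action, e.remarks, e.prev_hash)
            if e.serial != position or e.prev_hash != prev or e.entry_hash != recomputed:
                return False, position
            prev = e.entry_hash
        return True, None


def build_sample_logbook() -> LogBook:
    """The nine entries from the slide's log book example."""
    rows = [
        ("23 Feb 08 09.45", "Sys admin Mr. Smith reports IT security violation", ""),
        ("23 Feb 08 10.25", "Checking of the user account by IT security officer "
                            "from admin workstation 03 (R.105)", "Image copied and saved on CD."),
        ("23 Feb 08 10.45", "Report to management. Order to initiate investigation", ""),
        ("23 Feb 08 11.45", "Checking of client 1074, network address 123.123.145.23, in room 143", ""),
        ("23 Feb 08 12.13", "Securing data at admin Mr. Newman. Seizure of data carriers.",
                            "Storage in room 143"),
        ("23 Feb 08 12.55", "Locking of user account by sys admin Mr. Hubble.", ""),
        ("23 Feb 08 14.05", "Consulting hotline at CERT XY about further action", ""),
        ("24 Feb 08 09.05", "Interrogation of suspect by CIO Mr. Jones",
                            "Record of interrogation held by personnel officer"),
        ("24 Feb 08 10.50", "IT security violation report filed with IT security officer "
                            "of the organization area", "Enclosure 12"),
    ]
    book = LogBook()
    for dtg, action, remarks in rows:
        book.append(action, remarks, dtg)
    return book


def tampered_copy(book: LogBook, serial: int, new_action: str, rehash: bool = False) -> LogBook:
    """Simulate someone editing one entry afterwards, optionally recomputing its digest."""
    copy = LogBook()
    for e in book.entries:
        if e.serial == serial:
            e = replace(e, action=new_action)
            if rehash:
                e = replace(e, entry_hash=entry_digest(e.serial, e.dtg, e.action,
                                                       e.remarks, e.prev_hash))
        copy.entries.append(e)
    return copy


def deleted_copy(book: LogBook, serial: int) -> LogBook:
    """Simulate one entry being removed from the log book."""
    copy = LogBook()
    copy.entries = [e for e in book.entries if e.serial != serial]
    return copy


if __name__ == "__main__":
    book = build_sample_logbook()
    print("intact:", book.verify(), "head:", book.head_hash()[:16])
    print("edited entry 5:", tampered_copy(book, 5, "nothing seized").verify())
    print("edited and rehashed entry 5:", tampered_copy(book, 5, "nothing seized", True).verify())
    print("deleted entry 3:", deleted_copy(book, 3).verify())
```

The chain catches any change inside the book, but not a rewrite or removal of the newest entry; that is what head_hash() is for, and it belongs on paper, signed, next to the printed log book, or in the report sent to the CERT, exactly like "Enclosure 12" in the table.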
Step 1.1 Initial analysis

Detection - first reaction - action

"Need-to-know principle"
"Undercover investigation"

Immediate reaction

Motto from the Signal Corps:
"Thinking - pushing (the talk button) - speaking"
Step 1.2 Preserve the scene - screening

• closing off the scene to prevent access by unauthorized personnel

• identifying the staff working/employed in the office

• preventing the perpetrator or perpetrators from further accessing the IT systems of the agency

• In addition, photographs should be taken of rooms, IT configurations and evidence before making any changes to the scene.

Stop the "experts"!
Step 1.3 Notify appropriate personnel

Internal:

• CIO

• Administrators (network & security)

• Security officer

• Security analyst / forensic specialist

• Auditor

External:

• Industrial CERT

• Law enforcement

• Forensic specialist

• Recovery specialist

Additional:

• Legal adviser

• Public relations
Step 1.3 Notify appropriate personnel

Assistant Technical Incident Officer:

• available

• silent

• trained

• decisive

• knowledgeable

• assertive

Build up an IRC - Incident Response Capability
Step 1.4 Preserve the evidence

Ensure the integrity and availability of the evidence!

• Destruction

• Theft

• Changes

• Loss of data

• Tainting the evidence

Done by suspects and attackers

AND

our own "IT experts"

Stop the "experts"!
Step 1.5 Determine the extent

• Which and how many systems and data are actually or probably affected?

• Is there internal or external activity?

• Are other computers affected?

• Are IT security systems affected?

• Is the threat likely to spread?

• Are IT systems of external parties affected?

• Is the incident still occurring, or has it ceased?

The risk assessment/initial risk analysis may result in additional measures to maintain IT security.
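Once the CERT hands you an indicator (for instance the address the attacker's malware reports to), most of the questions above can be answered from the firewall or proxy logs instead of by walking from desk to desk. The following is an added example, not code from the original slides, that does exactly that over connection log lines. Everything in it is constructed: the line format, the addresses (10.0.0.0/8 as the internal network, the slide's client 1074 readdressed to 10.0.145.23, 203.0.113.7 as the attacker address given as an indicator, 10.0.73.10 standing in for a central log/anti-virus server), the garbled line, and the 30-minute quiet period after which the incident is treated as ceased. Real logs need their own parser; the rest of the logic carries over.

```python
"""Determining the extent of an incident from connection logs.

Added example; not from the original slides. It answers the slide's
questions (which systems are affected, internal or external activity,
spread to other computers, IT security systems, still occurring or
ceased) mechanically from firewall-style connection log lines. The line
format, all addresses, the "security hosts" and the indicator (an
attacker-controlled address reported by the CERT) are constructed for
this example; real logs need their own parser.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample: one compromised client (10.0.145.23, the slide's "client 1074"
# readdressed into 10.0.0.0/8) that beacons to the indicator, probes two servers
# over SMB, and a server that starts beaconing after the SMB connection succeeded.
SAMPLE_LOG = [
    "2008-02-23T09:12:04 src=10.0.145.23 dst=203.0.113.7 dport=443 action=ALLOW",
    "2008-02-23T09:12:09 src=10.0.145.23 dst=203.0.113.7 dport=443 action=ALLOW",
    "2008-02-23T09:30:41 src=10.0.145.23 dst=10.0.73.10 dport=445 action=ALLOW",
    "2008-02-23T09:31:02 src=10.0.145.23 dst=10.0.73.11 dport=445 action=DENY",
    "garbled line left over from a log rotation",
    "2008-02-23T10:02:17 src=10.0.73.10 dst=203.0.113.7 dport=443 action=ALLOW",
    "2008-02-23T10:05:00 src=10.0.200.5 dst=10.0.73.10 dport=22 action=ALLOW",
    "2008-02-23T11:40:00 src=10.0.73.10 dst=198.51.100.9 dport=80 action=ALLOW",
]
INDICATORS = {"203.0.113.7"}       # attacker address (constructed, TEST-NET-3)
SECURITY_HOSTS = {"10.0.73.10"}    # e.g. the central log/anti-virus server (constructed)
INTERNAL_NET = "10.0.0.0/8"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>ALLOW|DENY)$"
)


def parse_lines(lines: Iterable[str]) -> List[Dict]:
    """Parse the constructed format; unparseable lines are skipped, never guessed."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                            "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]})
    records.sort(key=lambda r: r["ts"])   # the spread analysis relies on time order
    return records


def determine_extent(lines: Iterable[str], indicators: Set[str], internal_net: str,
                     security_hosts: Set[str], now: datetime,
                     quiet_period: timedelta = timedelta(minutes=30)) -> Dict:
    net = ipaddress.ip_network(internal_net)

    def is_internal(ip: str) -> bool:
        return ipaddress.ip_address(ip) in net

    affected: Dict[str, datetime] = {}   # host -> first contact with an indicator
    lateral: Set[str] = set()            # internal hosts an affected host reached
    blocked: Set[str] = set()            # internal hosts it tried to reach but was denied
    other_external: Set[str] = set()     # further external destinations of affected hosts
    last_contact = None

    for r in parse_lines(lines):
        if r["dst"] in indicators:
            # Any attempt counts, allowed or denied: the host is talking to the attacker.
            affected.setdefault(r["src"], r["ts"])
            last_contact = r["ts"]
        elif r["src"] in affected:
            # Records are time-ordered, so this connection happened after the
            # source was already in contact with the attacker.
            if is_internal(r["dst"]):
                (lateral if r["action"] == "ALLOW" else blocked).add(r["dst"])
            else:
                other_external.add(r["dst"])

    return {
        "affected_hosts": sorted(affected),
        "first_contact": {h: t.isoformat() for h, t in affected.items()},
        "external_activity": bool(affected) and any(not is_internal(i) for i in indicators),
        "lateral_targets": sorted(lateral),
        "blocked_lateral": sorted(blocked),
        "likely_to_spread": bool(lateral),
        "security_systems_affected": sorted((set(affected) | lateral) & set(security_hosts)),
        "other_external_destinations": sorted(other_external),
        "last_indicator_contact": last_contact.isoformat() if last_contact else None,
        "ongoing": last_contact is not None and now - last_contact <= quiet_period,
    }


def analyse_sample(now_iso: str) -> Dict:
    """Run the analysis on the constructed log as seen at the given wall-clock time."""
    return determine_extent(SAMPLE_LOG, INDICATORS, INTERNAL_NET, SECURITY_HOSTS,
                            datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for key, value in analyse_sample("2008-02-23T10:25:00").items():
        print(f"{key}: {value}")
```

Two details matter for the risk analysis that follows. A denied connection to the attacker still marks the source as affected (the host tried), while only an allowed internal connection from an affected host counts as possible spread; and "ongoing" is a judgement about the quiet period, so state the period you used in the log book.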
Step 1.5 Verify the

Results of verification:

- verified: proceed

- undetermined: proceed

- refuted: terminate
Reporting

A report should include the following information:

• incident designation;

• activity designation;

• point of contact / telephone number;

• an account of the facts (e.g. a description of the IT equipment/software/project);

• damage established;

• measures taken.

Document everything
Step 2.1 Implementation of immediate measures to safeguard IT security

• Installation of patches or updates

• Setting of filters in firewall/proxy systems

• Performance of workarounds

• Closure of ports

• Deactivation of user accounts, applications or other software

• Shutdown of clients

• Shutdown of domains

• Closure/blocking of the firewall
Step 2.2 Collecting evidence

[Figure: collecting evidence from the Internet]

Step 2.3 Analysis evidence

[Figure: Internet Crime Complaint Center website - "an FBI - NW3C Partnership" (Home, File a Complaint, Press Room, About IC3, Contact Us)]
Forensic guidelines / principles

1. No action should change data

• write protection, sterile media, bit-stream copy

• first incident response

2. People dealing with evidence should be competent

3. A complete audit trail / documentation is necessary

• photo, video, printouts, log book

4. Identification / verification (hash)

5. A forensic officer should not be part of the investigation unit
Forensic equipment and principles

• Portable equipment

- forensic workstation, write protection, video, camera

- software tools (EnCase, ILook, FTK, Linux, SMART, ...)

• Laboratory

- all kinds of standard machines, password/decryption clusters

- different networks, storage capacity

- software tools (EnCase, ILook, FTK, Linux, SMART, ...)

• Communication platforms

- local

- European High Tech Crime Web - EVPN
Image production

[Figure: write blocker with FireWire interface connected to the storage PC; back-up; hard disk; court exhibit]
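Principles 1 and 4 above (no action should change data; identification and verification by hash) and the image-production figure come down to a short procedure: read the exhibit once, write the bit-stream copy, and hash both so the log book can carry a digest that any later copy is checked against. The following is an added example, not code from the slides or from any of the tools named on them. It uses only the Python standard library; the evidence is a constructed temporary file rather than a disk, the 1 MiB read size and the file names are this example's own choices, and opening the source read-only is a software precaution that does not replace the hardware write blocker in the figure.

```python
"""Bit-stream copy of an evidence source with hash verification.

Added example; not from the original slides. The source is read exactly
once, written to an image file, and both the source stream and the
finished image are hashed with SHA-256; the acquisition only counts as
verified when the digests agree, and the source is hashed again at the
end to show that imaging did not change it. Opening the source read-only
is a software precaution only and does not replace the hardware write
blocker in the slide's image-production setup. The "evidence" here is a
constructed temporary file, not a real disk.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict

CHUNK = 1024 * 1024  # 1 MiB read size


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image_path: str) -> Dict:
    """Copy `source` byte for byte to `image_path` and return the acquisition record."""
    fd = os.open(source, os.O_RDONLY)          # evidence is never opened for writing
    stream_hash = hashlib.sha256()
    size = 0
    try:
        with open(image_path, "xb") as out:    # "x": refuse to overwrite an existing image
            while True:
                chunk = os.read(fd, CHUNK)
                if not chunk:
                    break
                stream_hash.update(chunk)
                out.write(chunk)
                size += len(chunk)
            out.flush()
            os.fsync(out.fileno())             # make sure the image really is on disk
    finally:
        os.close(fd)
    os.chmod(image_path, 0o444)                # seal the image; analysis works on a copy
    record = {
        "source": source,
        "image": image_path,
        "bytes": size,
        "source_sha256": stream_hash.hexdigest(),       # hash of what was read
        "image_sha256": sha256_of_file(image_path),     # hash of what was written
        "source_sha256_after": sha256_of_file(source),  # source re-read after imaging
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    record["source_unchanged"] = record["source_sha256"] == record["source_sha256_after"]
    return record


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-check an image (or a working copy) against the digest noted in the log book."""
    return sha256_of_file(image_path) == expected_sha256


def demo() -> Dict:
    """Run the whole procedure on a constructed 'USB stick' and report what happened."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    evidence = os.path.join(workdir, "usb_stick.bin")
    with open(evidence, "wb") as f:
        f.write(bytes(range(256)) * 4097 + b"tail")   # deterministic, larger than one CHUNK

    image = os.path.join(workdir, "usb_stick.dd")
    record = acquire_image(evidence, image)

    # A second acquisition must not silently replace the sealed image.
    try:
        acquire_image(evidence, image)
        overwrite_refused = False
    except FileExistsError:
        overwrite_refused = True

    # Analysts work on a copy; if anyone touches it, the digest no longer matches.
    working = os.path.join(workdir, "usb_stick.work")
    shutil.copyfile(image, working)
    os.chmod(working, 0o644)
    copy_verifies_before = verify_image(working, record["source_sha256"])
    with open(working, "r+b") as f:            # flip one byte at offset 100
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(b"\xff" if original != b"\xff" else b"\x00")
    copy_verifies_after = verify_image(working, record["source_sha256"])

    shutil.rmtree(workdir, ignore_errors=True)
    return {"record": record, "overwrite_refused": overwrite_refused,
            "copy_verifies_before": copy_verifies_before,
            "copy_verifies_after": copy_verifies_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three digests in the record are what goes into the log book entry for the acquisition: the stream hash proves what was read, the image hash proves what was written, and the second source hash proves the exhibit was not altered by the reading. On a real disk the source would be the block device behind the write blocker, and the same verify_image() call is run against the back-up copy before it is handed to the analysts.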
Step 2.3 Analysis evidence

[Figure: ILook Investigator boot screen - "Developed by the U.S. Treasury Department IRS Criminal Investigation Electronic Crimes Program in conjunction with other U.S. Federal Agencies. Copyright 2001-2004. Use of this product and the data it creates is governed by the ILook End User License Agreement (EULA). By using this product you acknowledge and agree to be bound by the terms of the ILook EULA. All other use is expressly prohibited." ILook Imager, release v1.0 (Aug 25 2004)]

Analysis of internet use!

[Figure: ILook case management view (Case Organizer, Evidential Media, File List / ThumbNail View, Map view, Hex View, File View, Folder Properties, Search Results, Stream Analysis, FileTime Diary) showing the folder Dokumente und Einstellungen\Administrator\Cookies of a FAT16 volume with 127 cookie files (e.g. administrator@gmx[1].txt, administrator@google[1].txt, administrator@advertising[1].txt, administrator@sextracker[1].txt, administrator@www.gfisoftware[1].txt) plus INDEX.DAT, each with created, last-modified and last-accessed timestamps of 24 Apr 2005 between 20:20 and 22:46 (+02)]
IT forensic training

• Constant need

- 1/3 of working time

- minimum of 30 days per year

• Budgets

• Very few special forensic trainings

- international, expensive

• Lack of national / international cooperation
Step 2.4 Evaluation


The evaluation of the technical 
analysis should be confined to the 
description of the technically 
comprehensible events. 


The technical evidence shall be 
verified, as far as possible, by 
interrogations. 
Step 2.5 Archiving evidence

All evidence should be securely archived and stored:

Original evidence
Back-up copy
Reports
Supporting documents
Log book
Step 3.1 Additional troubleshooting options

• deletion of infected files/directories

• reconfigurations

• updates

• installing images

• restart of IT systems

• reconfiguring firewall rules

• installing hotfixes
Step 3.2 Additional recovery options

When information/data were destroyed or manipulated due to an incident, measures must be taken to recover this information/data. In this case, measures in accordance with the agency's data protection concept must be taken in cooperation with the administrator (e.g. backups/recovery).
Incident Management Pocket Card

1. This pocket card is not a replacement for the Incident Management Guide.

2. Stay calm! Take appropriate actions. Check the credibility of the report, verify the facts. If you don't know what to do, ask an expert.

3. When personnel-related data are affected, consult the data protection commissioner of the agency.

4. Document everything! Take pictures, if possible.

5. Consider all unknown activities to be harmful. If the computer runs processes that are unknown to you, switch it off (emergency switch-off)! Do not perform a regular shutdown on a computer with a suspected IT security incident!
Incident Management Pocket Card

6. When you notice download or upload activities, pull the power plug or interrupt the modem connection.

7. Prohibit unauthorized actions! IT or technical staff of other areas required for support act only as directed. Administrators are not investigators; they support you in the preservation of evidence.

8. Ask all persons you do not need for the preservation of evidence to leave the affected rooms.

9. Prevent the suspected person from gaining further access to the IT systems!

10. Never accept help from the suspect! Ask for the passwords and do not let the perpetrator, for example, perform the logon process him- or herself!

11. If anything fails, pull the plug!
Thank you for your attention!